# macros for the cdrecord domain
# Author: Thomas Bleher <ThomasBleher@gmx.de>
|
#
# cdrecord_domain(domain_prefix)
#
# Creates the per-user domain <prefix>_cdrecord_t for the cdrecord CD writing
# program and grants it the access listed below.  The single argument is the
# user domain prefix, so $1_t, $1_r, $1_home_t and so on name the types and
# role of the calling user domain.
#
# The helper macros used here (domain_auto_trans, uses_shlib, can_ps, ...) and
# the permission sets (r_dir_perms, r_file_perms, ...) are defined elsewhere;
# notes about them below are assumptions to confirm against those definitions.
#
# NOTE(review): everything between the quotes of define() is an m4 quoted
# string, so comments inside the body must not contain quote characters.
#
define(`cdrecord_domain', `
# Declare the derived domain type with the domain and privlog attributes.
type $1_cdrecord_t, domain, privlog;

# Presumably enters $1_cdrecord_t automatically when $1_t executes a file
# labeled cdrecord_exec_t - confirm against domain_auto_trans.
domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)

# The user role is authorized for this domain.
role $1_r types $1_cdrecord_t;

# Shared library and locale access (helper macros defined elsewhere).
uses_shlib($1_cdrecord_t)
read_locale($1_cdrecord_t)

# allow ps to show cdrecord and allow the user to signal it
# NOTE(review): the signal permission does not include SIGKILL or SIGSTOP,
# which SELinux checks as the separate sigkill and sigstop permissions.  Unless
# can_ps or another rule grants those, the user domain can send SIGTERM and
# similar signals but cannot force-kill a hung cdrecord.
can_ps($1_t, $1_cdrecord_t)
allow $1_t $1_cdrecord_t:process signal;

# write to the user domain tty.
access_terminal($1_cdrecord_t, $1)
# Use file descriptors handed over by privfd (presumably an attribute for
# domains that pass descriptors to other domains - confirm).
allow $1_cdrecord_t privfd:fd use;

# Use, but not create or connect, unix stream sockets that belong to the user
# domain, for example a socket inherited across the domain transition.
allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };

# Create and use unix datagram and stream sockets of its own.
allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;

# Presumably lets the domain talk to the resmgrd daemon - confirm.
can_resmgrd_connect($1_cdrecord_t)

# Presumably grants read access to user content for this prefix.  Confirm which
# types read_content covers, since that decides what data can be written to a
# disc from this domain.
read_content($1_cdrecord_t, $1, cdrecord)

# Read-only access to files labeled etc_t.
allow $1_cdrecord_t etc_t:file { getattr read };

# allow searching for cdrom-drive
# (list directories labeled device_t and read symlinks labeled device_t)
allow $1_cdrecord_t device_t:dir r_dir_perms;
allow $1_cdrecord_t device_t:lnk_file { getattr read };

# allow cdrecord to write the CD
# NOTE(review): these rules are per type, not per device.  They grant
# read/write/ioctl on every block node labeled removable_device_t and every
# character node labeled scsi_generic_device_t, not only the burner.  Which
# devices carry these labels is decided by the file contexts, which are not
# shown here; check that no fixed disk is reachable through them.
allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };

# Capabilities the domain may exercise.  SELinux only permits a capability the
# process already holds, so these take effect when cdrecord runs with root
# privileges (e.g. if it is installed setuid root - not shown here).
#   ipc_lock     - lock memory
#   sys_nice     - raise scheduling priority or change scheduling policy
#   setuid       - change process UIDs
#   dac_override - bypass file permission-bit (DAC) checks
#   sys_rawio    - raw I/O, including privileged device commands
# NOTE(review): with dac_override in effect, the type enforcement rules in this
# macro are the only limit on which files the process can open, including the
# home directory rules at the end of the macro.
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
# Query and set scheduling, fork, and send SIGCHLD or SIGKILL to processes in
# its own domain.
allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
# Presumably access to the pty of the user domain - confirm.
can_access_pty($1_cdrecord_t, $1)
# Home directory access: search directories labeled $1_home_t, apply
# r_dir_perms to $1_home_dir_t and r_file_perms to $1_home_t files (both
# assumed to be read-only permission sets - confirm).  No write access to the
# home types is granted by these three rules.
allow $1_cdrecord_t $1_home_t:dir search;
allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
allow $1_cdrecord_t $1_home_t:file r_file_perms;
')
|